nanog mailing list archives
Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?
From: Octavio Alvarez <alvarezp () alvarezp ods org>
Date: Tue, 04 Feb 2014 15:00:18 -0800
On 04/02/14 14:18, John Levine wrote:
I was at a conference with people from some Very Large ISPs. They told me that many of their large customers absolutely will not let them do BCP38 filtering. ("If you don't want our business, we can find someone else who does.") The usual problem is that they have PA space from two providers and for various reasons, not all of which are stupid, traffic with provider A's addresses sometimes goes out through provider B. Adding to the excitement, some of these customers are medium sized ISPs with multihomed customers of their own.
I haven't read it all, but section 3 says:
However, by restricting transit traffic which originates from a downstream network to known, and intentionally advertised, prefix(es), the problem of source address spoofing can be virtually eliminated in this attack scenario.
If ISP has customer A with multiple *known* valid networks --doesn't matter if ISP allocated them to customer or not-- and ISP lets them all out, but filters everything else, ISP is still complying with BCP 38.
Here it's not a matter of blocking "just because". It's blocking unknown addresses. It doesn't either mean that ISP should not open the filters if a new prefix is requested by the customer.
Current thread:
- Re: TWC (AS11351) blocking all NTP?, (continued)
- Re: TWC (AS11351) blocking all NTP? Michael Smith (Feb 06)
- Re: TWC (AS11351) blocking all NTP? Doug Barton (Feb 04)
- Re: TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: TWC (AS11351) blocking all NTP? Christopher Morrow (Feb 04)
- Re: TWC (AS11351) blocking all NTP? Majdi S. Abbas (Feb 04)
- Re: TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? John Levine (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Paul Ferguson (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Chuck Anderson (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Octavio Alvarez (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? John R. Levine (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? John Levine (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Mark Andrews (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Randy Bush (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Jay Ashworth (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Saku Ytti (Feb 05)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Jared Mauch (Feb 05)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Saku Ytti (Feb 05)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Octavio Alvarez (Feb 04)